By completing these labs, you will be able to:
IoT security hands-on labs provide the practical experience of implementing, attacking, and defending real IoT systems that is essential for developing genuine security competence — reading about TLS is not the same as configuring certificate pinning on an ESP32 and observing the difference in Wireshark. Each lab translates a security concept into observable evidence, building the intuition needed for real-world security decisions.
This hands-on chapter lets you practice IoT security concepts through exercises and scenarios. Think of it like a fire drill – practicing your response to threats in a safe environment prepares you to handle real incidents effectively. Working through these exercises builds the practical skills needed to secure real IoT deployments.
Security concepts are best learned by building and breaking things in a controlled environment. This chapter provides two progressive hands-on labs using Wokwi ESP32 simulators. Lab 1 focuses on preventive controls – authentication, rate limiting, and command validation – that block the majority of automated attacks. Lab 2 adds detective controls – anomaly detection and threat level management – that catch sophisticated attacks bypassing static rules. Together, these labs demonstrate the defense-in-depth principle central to IoT security.
This lab demonstrates core IoT security principles using an ESP32 microcontroller. You will implement authentication, rate limiting, and secure command validation.
Rate Limiting Mathematics for IoT Authentication
When implementing rate limiting for IoT device authentication, understanding the quantitative trade-offs is essential:
\[\text{Brute Force Time} = \frac{N}{r}\]
where \(N\) is the keyspace size and \(r\) is the attempt rate (attempts/second).
Example: 4-digit PIN without rate limiting \[T = \frac{10{,}000 \text{ combinations}}{100 \text{ attempts/sec}} = 100 \text{ seconds} \approx 1.7 \text{ minutes}\]
With rate limiting (3 attempts per 30 seconds): \[T = \frac{10{,}000}{3 \text{ attempts} / 30\text{s}} = \frac{10{,}000}{0.1} = 100{,}000 \text{ seconds} \approx 27.8 \text{ hours}\]
Lockout duration calculation (exponential backoff): \[D = k \times 2^{(n-1)}\]
where \(D\) is lockout duration, \(k\) is base duration (30s), and \(n\) is the failure count. In practice, the backoff begins after exceeding a threshold (e.g., after 2 allowed attempts):
Progressive backoff example:
After just 5 failed attempts, the attacker faces an 8-minute delay – making automated brute force attacks economically infeasible.
| Component | Purpose | Wokwi Element |
|---|---|---|
| ESP32 DevKit | Main controller with security logic | esp32:devkit-v1 |
| Green LED | Indicates authenticated/authorized state | led:green |
| Red LED | Indicates unauthorized access attempt | led:red |
| Yellow LED | Indicates rate limit warning/lockout | led:yellow |
| Push Button | Trigger authentication attempt | button |
| Resistors (3x 220 ohm) | Current limiting for LEDs | resistor |
ESP32 Pin Connections:
---------------------
GPIO 2 --> Green LED (+) --> 220 ohm Resistor --> GND
GPIO 4 --> Red LED (+) --> 220 ohm Resistor --> GND
GPIO 5 --> Yellow LED (+) --> 220 ohm Resistor --> GND
GPIO 15 --> Push Button --> GND (use internal pullup)/*
* Secure IoT Device with Authentication
* Demonstrates: Token auth, rate limiting, command validation
*/
#include <Arduino.h>
// PIN DEFINITIONS
const int LED_AUTH_OK = 2; // Green LED - Authorized
const int LED_AUTH_FAIL = 4; // Red LED - Unauthorized
const int LED_RATE_LIMIT = 5; // Yellow LED - Rate limited
const int BUTTON_PIN = 15; // Authentication trigger
// SECURITY CONFIGURATION
const char* VALID_TOKENS[] = {
"IOT_SEC_TOKEN_2024_A1B2C3",
"IOT_SEC_TOKEN_2024_D4E5F6",
"ADMIN_MASTER_KEY_SECURED"
};
const int NUM_VALID_TOKENS = 3;
// Rate limiting configuration
const int MAX_FAILED_ATTEMPTS = 3;
const unsigned long LOCKOUT_DURATION = 30000; // 30 seconds
const unsigned long MIN_ATTEMPT_INTERVAL = 1000; // 1 second
// Valid commands whitelist
const char* VALID_COMMANDS[] = {
"STATUS", "LED_ON", "LED_OFF", "GET_TEMP", "RESET"
};
const int NUM_VALID_COMMANDS = 5;
// SECURITY STATE
struct SecurityState {
int failedAttempts;
unsigned long lockoutStartTime;
unsigned long lastAttemptTime;
bool isLocked;
bool isAuthenticated;
String currentToken;
String sessionId;
} secState;
void setup() {
Serial.begin(115200);
pinMode(LED_AUTH_OK, OUTPUT);
pinMode(LED_AUTH_FAIL, OUTPUT);
pinMode(LED_RATE_LIMIT, OUTPUT);
pinMode(BUTTON_PIN, INPUT_PULLUP);
// Initialize security state
secState.failedAttempts = 0;
secState.isLocked = false;
secState.isAuthenticated = false;
Serial.println("Secure IoT Device Ready");
Serial.println("Commands: AUTH <token>, CMD <command>, LOGOUT");
}
void loop() {
// Handle button press for quick auth test
static bool lastButtonState = HIGH;
bool currentButtonState = digitalRead(BUTTON_PIN);
if (lastButtonState == HIGH && currentButtonState == LOW) {
authenticate("IOT_SEC_TOKEN_2024_A1B2C3");
}
lastButtonState = currentButtonState;
// Handle Serial commands
if (Serial.available()) {
String input = Serial.readStringUntil('\n');
input.trim();
processCommand(input);
}
// Handle lockout expiration
if (secState.isLocked) {
unsigned long elapsed = millis() - secState.lockoutStartTime;
if (elapsed >= LOCKOUT_DURATION) {
secState.isLocked = false;
secState.failedAttempts = 0;
digitalWrite(LED_RATE_LIMIT, LOW);
Serial.println("[SECURITY] Lockout expired");
}
}
delay(50);
}
bool authenticate(const String& token) {
// Check if rate limited
if (secState.isLocked) {
Serial.println("[BLOCKED] Account locked");
return false;
}
// Rate limiting check
unsigned long now = millis();
if (now - secState.lastAttemptTime < MIN_ATTEMPT_INTERVAL) {
Serial.println("[RATE_LIMIT] Too fast!");
return false;
}
secState.lastAttemptTime = now;
// Validate token
bool tokenValid = false;
for (int i = 0; i < NUM_VALID_TOKENS; i++) {
if (token == VALID_TOKENS[i]) {
tokenValid = true;
break;
}
}
if (tokenValid) {
secState.isAuthenticated = true;
secState.failedAttempts = 0;
digitalWrite(LED_AUTH_OK, HIGH);
Serial.println("[SUCCESS] Authenticated");
return true;
} else {
secState.failedAttempts++;
Serial.print("[FAILED] Attempts: ");
Serial.println(secState.failedAttempts);
if (secState.failedAttempts >= MAX_FAILED_ATTEMPTS) {
secState.isLocked = true;
secState.lockoutStartTime = millis();
digitalWrite(LED_RATE_LIMIT, HIGH);
Serial.println("[LOCKED] 30 second lockout");
}
// Flash red LED
digitalWrite(LED_AUTH_FAIL, HIGH);
delay(200);
digitalWrite(LED_AUTH_FAIL, LOW);
return false;
}
}
void processCommand(const String& input) {
if (input.startsWith("AUTH ")) {
authenticate(input.substring(5));
}
else if (input.startsWith("CMD ")) {
if (!secState.isAuthenticated) {
Serial.println("[ERROR] Not authenticated");
return;
}
String cmd = input.substring(4);
executeCommand(cmd);
}
else if (input == "LOGOUT") {
secState.isAuthenticated = false;
digitalWrite(LED_AUTH_OK, LOW);
Serial.println("[AUTH] Logged out");
}
}
void executeCommand(const String& command) {
// Whitelist validation
bool valid = false;
for (int i = 0; i < NUM_VALID_COMMANDS; i++) {
if (command == VALID_COMMANDS[i]) {
valid = true;
break;
}
}
if (!valid) {
Serial.println("[REJECTED] Invalid command");
return;
}
// Execute validated command
if (command == "STATUS") {
Serial.println("Device: ONLINE");
}
else if (command == "LED_ON") {
digitalWrite(LED_AUTH_OK, HIGH);
}
else if (command == "LED_OFF") {
digitalWrite(LED_AUTH_OK, LOW);
}
else if (command == "GET_TEMP") {
float temp = 22.5 + (random(0, 50) / 10.0);
Serial.print("Temperature: ");
Serial.println(temp);
}
else if (command == "RESET") {
secState.failedAttempts = 0;
secState.isLocked = false;
secState.isAuthenticated = false;
digitalWrite(LED_AUTH_OK, LOW);
digitalWrite(LED_RATE_LIMIT, LOW);
Serial.println("[RESET] Security state cleared");
}
}AUTH wrong_password (should fail)AUTH IOT_SEC_TOKEN_2024_A1B2C3 (should succeed)CMD STATUSCMD DROP_TABLE (should be rejected)| Concept | Implementation | Real-World Application |
|---|---|---|
| Token Authentication | Whitelist of valid tokens | API keys, JWT tokens |
| Rate Limiting | Max attempts with lockout | Brute force prevention |
| Command Whitelisting | Only approved commands execute | Injection attack prevention |
| Visual Feedback | LED indicators for states | Security dashboards |
| Audit Logging | Serial output of all events | SIEM systems |
Question: In the Lab 1 code, the lockout mechanism uses millis() to track timing. If an attacker power-cycles the ESP32 to reset the lockout timer, how would you make the rate limiting persistent across reboots?
Answer: Store the failedAttempts count and lockoutStartTime in non-volatile storage (EEPROM or NVS on ESP32). On boot, read these values and check if the lockout period has elapsed. This prevents attackers from bypassing rate limiting by simply restarting the device. The ESP32’s Preferences library provides a simple API: preferences.putUInt("failedAttempts", secState.failedAttempts).
This lab builds on the authentication lab to add anomaly detection and intrusion prevention capabilities. It reuses the same circuit as Lab 1 (three LEDs on GPIO 2, 4, and 5), with the LEDs repurposed to indicate threat levels instead of authentication states.
/*
* IoT Threat Detection System
* Demonstrates: Anomaly detection, DoS protection, attack correlation
*/
#include <Arduino.h>
#include <math.h>
const int LED_NORMAL = 2; // Green - Normal operations
const int LED_WARNING = 4; // Yellow - Elevated threat
const int LED_CRITICAL = 5; // Red - Critical threat
// Baseline for anomaly detection
float sensorBaseline = 25.0;
float sensorStdDev = 2.0;
// Rate limiting
const int MAX_REQUESTS_PER_SECOND = 10;
int requestCount = 0;
unsigned long lastSecond = 0;
// Threat level
enum ThreatLevel { NORMAL, LOW, MEDIUM, HIGH, CRITICAL };
ThreatLevel currentThreat = NORMAL;
void setup() {
Serial.begin(115200);
pinMode(LED_NORMAL, OUTPUT);
pinMode(LED_WARNING, OUTPUT);
pinMode(LED_CRITICAL, OUTPUT);
digitalWrite(LED_NORMAL, HIGH); // Normal state
Serial.println("Threat Detection System Active");
Serial.println("Commands: SENSOR <value>, DOS, SCAN, STATUS");
}
void loop() {
// Reset rate limiter each second
if (millis() - lastSecond >= 1000) {
requestCount = 0;
lastSecond = millis();
}
if (Serial.available()) {
String input = Serial.readStringUntil('\n');
input.trim();
processInput(input);
}
updateThreatIndicators();
delay(50);
}
void processInput(const String& input) {
// Rate limit check
requestCount++;
if (requestCount > MAX_REQUESTS_PER_SECOND) {
Serial.println("[DOS_BLOCKED] Rate limit exceeded");
raiseThreatLevel(HIGH);
return;
}
if (input.startsWith("SENSOR ")) {
float value = input.substring(7).toFloat();
checkAnomaly(value);
}
else if (input == "DOS") {
Serial.println("[ATTACK] DoS simulation");
raiseThreatLevel(HIGH);
}
else if (input == "SCAN") {
Serial.println("[ATTACK] Port scan detected");
raiseThreatLevel(MEDIUM);
}
else if (input == "STATUS") {
printStatus();
}
}
void checkAnomaly(float value) {
// Z-score calculation
float zScore = fabsf(value - sensorBaseline) / sensorStdDev;
Serial.print("Value: ");
Serial.print(value);
Serial.print(" | Z-score: ");
Serial.println(zScore);
if (zScore > 3.0) {
Serial.println("[ANOMALY] Suspicious reading detected");
raiseThreatLevel(MEDIUM);
} else if (zScore > 2.0) {
Serial.println("[WARNING] Elevated reading");
raiseThreatLevel(LOW);
} else {
Serial.println("[NORMAL] Reading within baseline");
}
}
void raiseThreatLevel(ThreatLevel level) {
if (level > currentThreat) {
currentThreat = level;
Serial.print("[THREAT] Level raised to: ");
Serial.println(level);
}
}
void updateThreatIndicators() {
digitalWrite(LED_NORMAL, currentThreat == NORMAL);
digitalWrite(LED_WARNING, currentThreat >= LOW && currentThreat < HIGH);
digitalWrite(LED_CRITICAL, currentThreat >= HIGH);
}
void printStatus() {
Serial.println("=== SYSTEM STATUS ===");
Serial.print("Threat Level: ");
Serial.println(currentThreat);
Serial.print("Requests this second: ");
Serial.println(requestCount);
Serial.print("Baseline: ");
Serial.println(sensorBaseline);
}SENSOR 24.5 (within baseline, Z-score = 0.25)SENSOR 30.0 (Z-score = 2.5, triggers LOW threat)SENSOR 100.0 (Z-score = 37.5, triggers MEDIUM threat)DOS to simulate attack (triggers HIGH threat)Use this interactive calculator to explore how rate limiting parameters affect brute force attack feasibility.
viewof keyspaceDigits = Inputs.range([3, 8], {value: 4, step: 1, label: "PIN digits"})
viewof attemptRate = Inputs.range([1, 1000], {value: 100, step: 1, label: "Attempts/sec (no rate limit)"})
viewof maxAttempts = Inputs.range([1, 20], {value: 3, step: 1, label: "Max attempts before lockout"})
viewof lockoutSeconds = Inputs.range([5, 600], {value: 30, step: 5, label: "Lockout duration (seconds)"}){
const keyspace = Math.pow(10, keyspaceDigits);
const timeNoLimit = keyspace / attemptRate;
const effectiveRate = maxAttempts / lockoutSeconds;
const timeWithLimit = keyspace / effectiveRate;
const slowdownFactor = timeWithLimit / timeNoLimit;
const formatTime = (seconds) => {
if (seconds < 60) return `${seconds.toFixed(1)} seconds`;
if (seconds < 3600) return `${(seconds / 60).toFixed(1)} minutes`;
if (seconds < 86400) return `${(seconds / 3600).toFixed(1)} hours`;
return `${(seconds / 86400).toFixed(1)} days`;
};
return html`<div style="background: linear-gradient(135deg, #f8f9fa 0%, #e9ecef 100%); padding: 20px; border-radius: 8px; border-left: 4px solid #2C3E50; font-family: system-ui, sans-serif; margin: 10px 0;">
<div style="font-size: 1.1em; font-weight: bold; color: #2C3E50; margin-bottom: 15px;">Brute Force Time Analysis</div>
<div style="display: grid; grid-template-columns: 1fr 1fr; gap: 15px;">
<div style="background: white; padding: 15px; border-radius: 6px; border: 1px solid #dee2e6;">
<div style="color: #E74C3C; font-weight: 600; margin-bottom: 5px;">Without Rate Limiting</div>
<div style="font-size: 0.9em; color: #555;">Keyspace: ${keyspace.toLocaleString()} combinations</div>
<div style="font-size: 0.9em; color: #555;">Rate: ${attemptRate} attempts/sec</div>
<div style="font-size: 1.3em; font-weight: bold; color: #E74C3C; margin-top: 8px;">${formatTime(timeNoLimit)}</div>
</div>
<div style="background: white; padding: 15px; border-radius: 6px; border: 1px solid #dee2e6;">
<div style="color: #16A085; font-weight: 600; margin-bottom: 5px;">With Rate Limiting</div>
<div style="font-size: 0.9em; color: #555;">Effective rate: ${effectiveRate.toFixed(3)} attempts/sec</div>
<div style="font-size: 0.9em; color: #555;">${maxAttempts} attempts per ${lockoutSeconds}s window</div>
<div style="font-size: 1.3em; font-weight: bold; color: #16A085; margin-top: 8px;">${formatTime(timeWithLimit)}</div>
</div>
</div>
<div style="margin-top: 12px; padding: 10px; background: white; border-radius: 6px; text-align: center; border: 1px solid #dee2e6;">
<span style="color: #7F8C8D; font-size: 0.9em;">Rate limiting slows brute force by</span>
<span style="font-size: 1.4em; font-weight: bold; color: #E67E22;"> ${slowdownFactor.toLocaleString(undefined, {maximumFractionDigits: 0})}x</span>
</div>
</div>`;
}Use this calculator to understand how Z-score thresholds affect anomaly detection sensitivity.
viewof sensorValue = Inputs.range([-20, 120], {value: 25, step: 0.5, label: "Sensor reading"})
viewof baseline = Inputs.range([0, 100], {value: 25, step: 0.5, label: "Baseline (mean)"})
viewof stdDev = Inputs.range([0.5, 20], {value: 2, step: 0.5, label: "Standard deviation"})
viewof warningThreshold = Inputs.range([1, 4], {value: 2, step: 0.1, label: "Warning threshold (Z)"})
viewof anomalyThreshold = Inputs.range([2, 6], {value: 3, step: 0.1, label: "Anomaly threshold (Z)"}){
const zScore = Math.abs(sensorValue - baseline) / stdDev;
const isAnomaly = zScore > anomalyThreshold;
const isWarning = zScore > warningThreshold && !isAnomaly;
const isNormal = !isAnomaly && !isWarning;
const statusColor = isAnomaly ? "#E74C3C" : isWarning ? "#E67E22" : "#16A085";
const statusText = isAnomaly ? "ANOMALY - Suspicious reading" : isWarning ? "WARNING - Elevated reading" : "NORMAL - Within baseline";
const statusBg = isAnomaly ? "#fdedec" : isWarning ? "#fef5e7" : "#eafaf1";
const normalMin = (baseline - warningThreshold * stdDev).toFixed(1);
const normalMax = (baseline + warningThreshold * stdDev).toFixed(1);
const warningMin = (baseline - anomalyThreshold * stdDev).toFixed(1);
const warningMax = (baseline + anomalyThreshold * stdDev).toFixed(1);
return html`<div style="background: linear-gradient(135deg, #f8f9fa 0%, #e9ecef 100%); padding: 20px; border-radius: 8px; border-left: 4px solid #2C3E50; font-family: system-ui, sans-serif; margin: 10px 0;">
<div style="font-size: 1.1em; font-weight: bold; color: #2C3E50; margin-bottom: 15px;">Z-Score Anomaly Detection</div>
<div style="background: ${statusBg}; padding: 15px; border-radius: 6px; border: 2px solid ${statusColor}; margin-bottom: 15px; text-align: center;">
<div style="font-size: 0.9em; color: #555;">Z-score = |${sensorValue} - ${baseline}| / ${stdDev} = <strong>${zScore.toFixed(2)}</strong></div>
<div style="font-size: 1.2em; font-weight: bold; color: ${statusColor}; margin-top: 8px;">${statusText}</div>
</div>
<div style="display: grid; grid-template-columns: 1fr 1fr 1fr; gap: 10px;">
<div style="background: #eafaf1; padding: 10px; border-radius: 6px; text-align: center; border: 1px solid #16A085;">
<div style="color: #16A085; font-weight: 600; font-size: 0.85em;">Normal Range</div>
<div style="font-size: 0.85em; color: #555;">${normalMin} to ${normalMax}</div>
<div style="font-size: 0.8em; color: #888;">Z < ${warningThreshold}</div>
</div>
<div style="background: #fef5e7; padding: 10px; border-radius: 6px; text-align: center; border: 1px solid #E67E22;">
<div style="color: #E67E22; font-weight: 600; font-size: 0.85em;">Warning Range</div>
<div style="font-size: 0.85em; color: #555;">${warningMin} to ${normalMin}, ${normalMax} to ${warningMax}</div>
<div style="font-size: 0.8em; color: #888;">${warningThreshold} < Z < ${anomalyThreshold}</div>
</div>
<div style="background: #fdedec; padding: 10px; border-radius: 6px; text-align: center; border: 1px solid #E74C3C;">
<div style="color: #E74C3C; font-weight: 600; font-size: 0.85em;">Anomaly Range</div>
<div style="font-size: 0.85em; color: #555;">Below ${warningMin} or above ${warningMax}</div>
<div style="font-size: 0.8em; color: #888;">Z > ${anomalyThreshold}</div>
</div>
</div>
</div>`;
}Modify the authentication system so tokens expire after 5 minutes of inactivity. Implement automatic logout.
Hint: Track lastActivityTime in the SecurityState struct and check it in loop(). Reset the timer on each valid command.
Add a second factor: after token authentication, require the user to press the button within 10 seconds to complete login.
Hint: Add a pendingAuth state and use millis() to track the 10-second window. The green LED should blink during the waiting period.
Implement simple XOR encryption for commands sent over serial. The key should be established during authentication.
Hint: XOR each character of the command with a key byte. The same operation encrypts and decrypts. Use a shared key derived from the authentication token.
Add a “trap” token that, when used, immediately locks the device and logs the attempt with high severity.
Hint: Add a special token like "HONEY_TRAP_TOKEN" to your token list, but instead of granting access, trigger a lockout with an extended duration and log the source.
Detect attack chains: scan followed by brute force followed by anomalous commands should trigger critical alert.
Hint: Track the sequence of event types in a small circular buffer. When the buffer contains SCAN + AUTH_FAIL + ANOMALY in order, escalate to CRITICAL.
The lab implementations demonstrate real security principles using simplified components. Here is how each lab concept maps to production-grade equivalents:
| Lab Feature | Builds Upon | Enables | Production Equivalent |
|---|---|---|---|
| Serial commands | Direct I/O | Protocol testing | MQTT/CoAP over TLS |
| Hardcoded tokens | Static credential store | Authentication flow | Certificate-based auth, JWT |
| LED indicators | GPIO state output | Visual alerting | Security dashboards, SIEM |
| Serial logging | Event recording | Audit trail | Centralized log aggregation |
| Simple rate limiting | Attack attempt tracking | Brute force prevention | Distributed rate limiting (Redis) |
| Z-score anomaly | Statistical baselines | Behavioral detection | ML models (Isolation Forest, autoencoders) |
| Threat levels | Multi-metric correlation | Graduated incident response | SIEM severity scoring |
Lab Progression: Lab 1 (authentication + rate limiting) prevents the majority of automated attacks through preventive controls. Lab 2 (anomaly detection + threat levels) catches sophisticated attacks that bypass static rules through detective controls. Together, they demonstrate defense-in-depth.
Scenario: A smart building company deploys 250 smart locks across an office complex. Each lock accepts authentication attempts via BLE from employee smartphones. They must decide whether to implement rate limiting to prevent brute force attacks.
Given:
Cost-Benefit Calculation:
Time to Brute Force Without Rate Limiting:
10,000 combinations / 100 attempts/min = 100 minutes = 1.7 hours
Attack feasible: YES (attacker can break in during lunch)
Time to Brute Force With Rate Limiting (3 attempts per 5 min):
Effective rate: 3 attempts / 5 min = 0.6 attempts/min
10,000 / 0.6 = 16,667 minutes = 278 hours = 11.6 days
Attack feasible: NO (impractical for opportunistic attacker)
Implementation Cost:
- Development time: 4 hours x $150/hr = $600
- Testing time: 2 hours x $150/hr = $300
- Code size: 80 lines (negligible flash/RAM impact)
- Runtime overhead: <1% CPU per authentication attempt
Total cost: $900 one-time
Risk Without Rate Limiting:
- Physical security breach probability: 15% per year (based on industry data)
- Average cost per breach: $25,000 (theft, remediation, investigation)
- Expected annual loss: 0.15 x $25,000 = $3,750
Risk With Rate Limiting:
- Breach probability reduced to: 1% per year
- Expected annual loss: 0.01 x $25,000 = $250
Annual savings: $3,750 - $250 = $3,500
ROI: $3,500 / $900 = 389% in year one
Payback period: $900 / $3,500 = 0.26 years = 3.1 monthsDecision: Implement rate limiting. ROI is 389% in year one, and it protects against the most common attack vector (brute force). The CPU overhead is negligible for authentication operations that occur fewer than 10 times per day per lock.
Key Insight: Rate limiting is one of the highest-ROI security controls for authentication systems. The implementation cost is minimal (a few hours of development), but it increases brute force attack time from hours to days, making attacks economically infeasible for most threat actors.
| Criterion | Token/API Key | Certificate-Based (mTLS) | Biometric | Multi-Factor (2FA) |
|---|---|---|---|---|
| Implementation Complexity | Low (1-2 days) | High (1-2 weeks) | Very High (hardware + AI) | Medium (3-5 days) |
| Cost per Device | $0 (software only) | $0.50-3 (secure element) | $5-50 (fingerprint sensor) | $0 (software + user phone) |
| User Friction | None (transparent) | None (transparent) | Medium (enrollment + scan) | High (second device needed) |
| Security Strength | Medium (key theft risk) | Very High (hardware-backed) | High (spoofing possible) | Very High (two independent factors) |
| Offline Operation | Yes (if pre-validated) | Yes (cert on device) | Yes | No (requires network for OTP) |
| Revocation Speed | Instant (server-side) | Slow (CRL/OCSP check) | Impossible (biometric permanent) | Instant (disable OTP) |
| Best For | Low-security sensors, API access | High-security devices, long lifespan | Consumer devices with local access | Critical operations, high-value assets |
| Avoid When | Regulatory compliance (medical, financial) | Cost-sensitive consumer products | Shared devices (family thermostats) | Elderly users, no smartphone access |
Decision Tree:
Example Application:
The Mistake: Many developers implement rate limiting by adding delays (e.g., delay(5000) after failed attempt) instead of using lockout counters.
Example of Flawed Code:
if (!authenticate(password)) {
failedAttempts++;
delay(5000 * failedAttempts); // Wait longer after each failure
}Why This Fails:
delay() keeps CPU active during wait (battery drain on battery-powered devices)Correct Implementation:
unsigned long lockoutUntil = 0;
int failedAttempts = 0;
bool authenticate(String password) {
// Check if currently locked out
if (millis() < lockoutUntil) {
unsigned long remaining = (lockoutUntil - millis()) / 1000;
Serial.printf("[LOCKED] %lu seconds remaining\n", remaining);
return false;
}
if (verifyPassword(password)) {
failedAttempts = 0; // Reset on success
return true;
}
failedAttempts++;
if (failedAttempts >= 3) {
lockoutUntil = millis() + 300000; // 5-minute lockout
// In production: store lockoutUntil in EEPROM/NVS
// sendAlertEmail("Brute force attempt detected");
// logSecurityEvent("LOCKOUT", sourceIP);
}
return false;
}Why This Works:
Real-World Impact: A smart lock manufacturer deployed delay-based rate limiting. Attackers discovered they could force 10-minute delays by submitting wrong codes, effectively creating a denial-of-service that locked out legitimate users. After switching to lockout-based rate limiting with EEPROM persistence, brute force attacks became infeasible (11.5 days per 4-digit PIN vs. 1.7 hours before), and legitimate users experienced no delays.
Security Theory:
Implementation Guides:
Related Labs:
IoT security labs — especially fuzzing, packet injection, and firmware modification — must be performed on isolated lab systems. Running these activities on production hardware risks disrupting legitimate operations and damaging equipment.
The value of a hands-on lab is not completing the steps but understanding what each step reveals. After every lab activity, stop to analyse the results: what security property was demonstrated? What would an attacker learn from this?
Security lab skills are built through reflection on documented findings, not just through completing exercises. Write up each lab with observed results, security implications, and how the demonstrated vulnerability would be fixed in production.
Lab conditions (controlled environment, known hardware, isolated network) differ from production. Lab findings indicate potential vulnerabilities that require additional analysis to confirm exploitability in the specific production deployment context.
These labs demonstrated practical IoT security:
The final chapter provides Visual Resources including diagrams for encryption, attack scenarios, and security architectures.
Continue to Visual Resources
| ← Intrusion Detection | Visual Resources → |